Wine being targeted for adware
Nicholas LaRoche
nlaroche at vt.edu
Wed Jan 14 14:07:06 CST 2009
Stefan Dösinger wrote:
>> As long as the facilities exist for keeping an entire wine bottle
>> isolated from other bottles (and ~/) I don't see this being a major
>> issue.
> They don't.
>
> Even if you don't have a drive link pointing out of a bottle, a Windows app
> running in Wine can still call Linux syscalls (int 0x80). This is
> possible/needed because Windows apps run as a regular Linux process that
> links in Linux libraries which perform Linux syscalls.
>
> So any Windows malware can break out of the Wine "sandbox" (which isn't a
> sandbox really) by simply using Linux syscalls.
>
On more recent distros (FC9/10) SELinux is enabled by default. Rolling a
policy specifically for an untrusted bottle would severely limit the
damage it could do. It could restrict all unnecessary read/write/execute
access outside of the ~/.wine folder for wineserver and the program.

I see your point though, since none of the aforementioned security
precautions are commonplace or specifically targeted at Wine.
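The confinement Nicholas sketches (nothing outside the bottle directory is writable for the program or the wineserver it starts) can be approximated without a custom SELinux policy by launching Wine inside a mount/PID namespace. The wrapper below is an added example, not code from the thread or from the Wine project; it uses bubblewrap (`bwrap`), which is assumed to be installed, and the bottle path and the `/tmp/wine-home` fallback are assumptions for illustration. Because the Windows program is still an ordinary Linux process making Linux syscalls, the point of the namespace is to shrink what those syscalls can reach, not to pretend Wine itself is a sandbox.

```shell
#!/bin/sh
# Added example, not from the wine-devel thread: run a program from an
# untrusted Wine bottle inside a bubblewrap (bwrap) mount/PID namespace so
# that the only writable path the process (and its wineserver) can reach is
# the bottle itself.  bwrap is assumed to be installed; the bottle path is
# whatever the caller passes (the thread's ~/.wine is one example).

# Every Wine prefix contains a drive_c directory; use that as a sanity check
# before treating an arbitrary path as a bottle.
is_wine_bottle() {
    [ -d "$1/drive_c" ]
}

# Print the bwrap options for confining a bottle, one per line, so paths with
# spaces survive re-splitting on newlines.  $1 = bottle directory,
# $2 = directory presented as $HOME inside the sandbox (defaults to $HOME).
bottle_sandbox_args() {
    bottle=$1
    home=${2:-${HOME:-/tmp/wine-home}}
    printf '%s\n' \
        --unshare-all --share-net --die-with-parent \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --proc /proc --dev /dev --tmpfs /tmp
    # Legacy top-level directories, bound read-only only where they exist.
    for d in /lib /lib64 /lib32 /bin /sbin; do
        [ -e "$d" ] && printf '%s\n' --ro-bind "$d" "$d"
    done
    # The real home is hidden behind an empty tmpfs; only the bottle is mapped
    # back in read-write so Wine can keep its registry, drive_c and sockets.
    printf '%s\n' \
        --tmpfs "$home" \
        --bind "$bottle" "$bottle" \
        --setenv HOME "$home" \
        --setenv WINEPREFIX "$bottle"
}

# run_in_bottle BOTTLE PROGRAM [ARGS...]  ->  exec bwrap ... wine PROGRAM ARGS
# Returns 2 for a path that is not a bottle and 3 when bwrap is missing, so a
# caller never falls through to running the program unconfined.
run_in_bottle() {
    bottle=$1; shift
    is_wine_bottle "$bottle" || { echo "not a Wine prefix: $bottle" >&2; return 2; }
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 3; }
    args=$(bottle_sandbox_args "$bottle")
    # Rebuild the positional parameters from the newline-separated option list;
    # globbing is disabled so an option value such as '*' is not expanded.
    set -f
    IFS='
'
    set -- $args -- wine "$@"
    unset IFS
    set +f
    exec bwrap "$@"
}
```

Usage is `run_in_bottle "$HOME/.wine-untrusted" setup.exe`. What the wrapper does not cover is worth knowing: the program keeps network access (`--share-net`) and can still talk to an X server or D-Bus socket if those are reachable from inside the namespace, so for a bottle you genuinely distrust, pair it with a separate user account or an SELinux/AppArmor profile as the thread suggests.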